Backup Database Reveals Scale of CCleaner Hack

A backup of a database containing information on Windows systems compromised via a maliciously modified version of the CCleaner software utility has provided investigators with a clearer view of the incident.

The backup was created on September 10, shortly after the attackers discovered that the server holding the original database ran out of space. On Sept. 12, the actors completely erased the database, which had become corrupt in the meantime.

It all started with unknown actors compromising Piriform’s servers and replacing the legitimate 32-bit CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 releases with modified ones containing backdoor code. The infected iterations were downloaded over 2.27 million times.

The initial findings in the investigation revealed that 700,000 infected systems had reported to the command and control (C&C) server between Sept. 12 and Sept. 16. The initial infection database was erased from the server on Sept. 12, but the attackers created a backup before that.

This backup revealed the connections to the C&C made between August 18 and Sept. 10, when the server ran out of space and the logging operation ceased. Thus, the researchers concluded that a total of 5,686,677 connections were made to the C&C and that a total of 1,646,536 unique machines (based on MAC addresses) reported to the server.

The backdoor code in the CCleaner installer also allowed attackers to deploy a stage 2 payload onto affected machines, but only 40 unique computers received it, Avast reveals. The attackers were very selective when deciding which computers to deliver the payload to, likely basing that decision on the infected PCs they could access.

The 40 machines were found to be part of the networks of well-known telecoms and tech companies worldwide, including Chunghwa Telecom, Nec, Samsung, Asus, Fujitsu, Sony, Dvrdns.org, O2, Gauselman, Singtel, Intel, and VMware.

“Clearly, the logs also indicate that the attackers were looking for additional high-profile companies to target, some of them potentially leading to additional supply-chain attacks (Carriers / ISPs, server hosting companies and domain registrars),” Avast notes.

The security researchers also discovered that the attackers had to conduct continuous server maintenance, as they connected 83 times to it. Based on the attackers’ active hours, the researchers also determined that they are most likely located in Russia or the Eastern part of Middle East / Central Asia and India. Moreover, none of the hit companies is from China, Russia, or India.

“Our security team has reached out to all companies proven to be part of the 2nd stage, and we’re committed to working with them to resolve the issue fully. Obviously, the fact that the 2nd stage payload has been delivered to a computer connected to a company network doesn’t mean that the company network has been compromised. However, proper investigation is in order and necessary to fully understand the impact and take remediation actions,” Avast says.